diff options
-rw-r--r-- | Changelog | 4 | ||||
-rw-r--r-- | snippets/apache2-static.conf | 16 | ||||
-rw-r--r-- | snippets/apache2.conf | 19 | ||||
-rw-r--r-- | snippets/nginx-static.conf | 15 | ||||
-rw-r--r-- | snippets/nginx.conf | 19 |
5 files changed, 40 insertions, 33 deletions
@@ -24,6 +24,10 @@ lacme (0.7.1) upstream; configuration file. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + + Split Nginx and Apapche2 static configuration snippets into seperate + files. That way users prefering that over reverse-proxying can just + source/enable the relevant files without having to uncomment + anything. + Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple. + client: use "lacme-client/$VERSION" as User-Agent header. diff --git a/snippets/apache2-static.conf b/snippets/apache2-static.conf new file mode 100644 index 0000000..9262179 --- /dev/null +++ b/snippets/apache2-static.conf @@ -0,0 +1,16 @@ +# Use Apache2 to serve ACME requests directly. +# This snippet requires setting challenge-directory = /var/www/acme-challenge +# in /etc/lacme/lacme.config, and creating this file with write +# permissions for the lacme client user. +# +# This file needs to be sourced to the server directives (at least the +# non-ssl one) of each virtual host requiring authorization. + +<IfModule mod_alias.c> + Alias /.well-known/acme-challenge/ /var/www/acme-challenge/ + <Directory /var/www/acme-challenge/> + Options none + AllowOverride none + Require all granted + </Directory> +</IfModule> diff --git a/snippets/apache2.conf b/snippets/apache2.conf index 69d80a7..31dd95a 100644 --- a/snippets/apache2.conf +++ b/snippets/apache2.conf @@ -1,29 +1,12 @@ -# Use Apache2 to serve ACME requests; either directly, or by passing -# them over to a locally-bound lacme webserver component. +# Use Apache2 to proxy ACME requests to a locally-bound lacme webserver. # # This file needs to be sourced to the server directives (at least the # non-ssl one) of each virtual host requiring authorization. # Alternatively, run `a2enconf lacme` and reload apache2. - -# Pass ACME requests to lacme's webserver component <IfModule mod_proxy_http.c> <Location /.well-known/acme-challenge/> ProxyPass unix://@@runstatedir@@/lacme-www.socket|http://localhost/.well-known/acme-challenge/ Require all granted </Location> </IfModule> - - -## Alternatively, you can let Apache2 serve the requests by -## setting 'challenge-directory' to '/var/www/acme-challenge' in -## lacme's configuration file and uncomment the following: - -#<IfModule mod_alias.c> -# Alias /.well-known/acme-challenge/ /var/www/acme-challenge/ -# <Directory /var/www/acme-challenge/> -# Options none -# AllowOverride none -# Require all granted -# </Directory> -#</IfModule> diff --git a/snippets/nginx-static.conf b/snippets/nginx-static.conf new file mode 100644 index 0000000..febe4dc --- /dev/null +++ b/snippets/nginx-static.conf @@ -0,0 +1,15 @@ +# Use Nginx to serve ACME requests directly. +# This snippet requires setting challenge-directory = /var/www/acme-challenge +# in /etc/lacme/lacme.config, and creating this file with write +# permissions for the lacme client user. +# +# One of the nginx*.conf file needs to be sourced to the server +# directives (at least the non-ssl one) of each virtual host requiring +# authorization. + +location ^~ /.well-known/acme-challenge/ { + alias /var/www/acme-challenge/; + default_type application/jose+json; + disable_symlinks on; + autoindex off; +} diff --git a/snippets/nginx.conf b/snippets/nginx.conf index 76309f0..891a834 100644 --- a/snippets/nginx.conf +++ b/snippets/nginx.conf @@ -1,20 +1,9 @@ -# Use Nginx to serve ACME requests; either directly, or by passing them -# over to a locally-bound lacme webserver component. +# Use Nginx to proxy ACME requests to a locally-bound lacme webserver. # -# This file needs to be sourced to the server directives (at least the -# non-ssl one) of each virtual host requiring authorization. +# One of the nginx*.conf file needs to be sourced to the server +# directives (at least the non-ssl one) of each virtual host requiring +# authorization. location ^~ /.well-known/acme-challenge/ { - # Pass ACME requests to lacme's webserver component proxy_pass http://unix:@@runstatedir@@/lacme-www.socket; - - - ## Alternatively, you can let nginx serve the requests by - ## setting 'challenge-directory' to '/var/www/acme-challenge' in - ## lacme's configuration file and uncomment the following: - - # alias /var/www/acme-challenge/; - # default_type application/jose+json; - # disable_symlinks on; - # autoindex off; } |